Logging in Linux
Logging allows us to introspect on our system, to see things like who is logging in, the status of hardware, etc.
Log messages will typically contain the process name, process ID, and a timestamp of when the event occurred. /var/log is where we can find our logs. Many files in here have a .log extension, but .log is not a strict requirement.
Some log files, like wtmp, are binary. Cat'ing this file will show garbage. We must use the last utility to dump the contents of this binary log file and view the login records on your machine.
$ last
btmp is another binary log file; it records bad (failed) logins to our machine. It is not only binary in format but also requires superuser privilege to view (using lastb).
$ sudo lastb
For machines running systemd, you will have a logging service called journald, which serves as a replacement for, or complement to, syslog. journalctl is the utility that ships with systemd for inspecting the journal.
To view log output for a specific process, or a systemd unit more generally, we can run:
$ journalctl -u httpd
To follow the same output in real time, we can run:
$ journalctl -f -u httpd
If you are unsure which systemd unit you are looking for, you can list all units in the journal using
$ journalctl -F _SYSTEMD_UNIT
The -S option (since) can be used to filter journalctl entries by time.
$ journalctl -S -4h
journald will delete old log files as a function of how much space is left on the journal's filesystem, how much space the journal should take as a percentage of the filesystem, and what the max journal size is set to. Check journald.conf for more on this.
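Because journald prunes the journal on its own, an investigation can find the relevant entries already gone unless retention is pinned explicitly. The script below is an added example (not code from the original page or from the systemd project): it writes a journald drop-in with explicit limits and then audits a journald.conf-style file for the retention keys. Storage, SystemMaxUse, SystemKeepFree and MaxRetentionSec are real journald.conf options; the values, the drop-in file name 10-retention.conf, and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original page or the systemd project:
# pin journald retention with a drop-in, then audit a journald.conf file for
# the retention keys. The keys are real journald.conf options; the values and
# the file name 10-retention.conf are assumptions to adapt to your disk size.

# Write the drop-in into DIR (default: a fresh temporary directory, so running
# this example does not touch the live system). Prints the path written.
write_retention_dropin() {
    dir="${1:-$(mktemp -d)}"
    mkdir -p "$dir"
    cat > "$dir/10-retention.conf" <<'EOF'
[Journal]
# keep the journal on disk across reboots instead of only in /run
Storage=persistent
# hard ceiling on total journal size, independent of filesystem size
SystemMaxUse=2G
# stop writing before the filesystem gets this close to full
SystemKeepFree=1G
# drop entries older than this even when there is space for them
MaxRetentionSec=90day
EOF
    printf '%s\n' "$dir/10-retention.conf"
}

# Report which retention keys FILE sets (key=value) or leaves to defaults.
# Returns non-zero when any key is unset, so it can gate a config check.
audit_retention_keys() {
    file="$1"
    missing=0
    for key in Storage SystemMaxUse SystemKeepFree MaxRetentionSec; do
        # only active settings count: commented-out "#Key=" lines are ignored
        value=$(sed -n "s/^[[:space:]]*$key=//p" "$file" | tail -n 1)
        if [ -n "$value" ]; then
            printf '%s=%s\n' "$key" "$value"
        else
            printf '%s unset (journald default applies)\n' "$key"
            missing=1
        fi
    done
    return "$missing"
}

# Stand-alone run against a throwaway directory.
demo_file=$(write_retention_dropin)
audit_retention_keys "$demo_file"
```

To apply the drop-in, copy the generated file into /etc/systemd/journald.conf.d/ and restart systemd-journald; journalctl --disk-usage then shows how much space the journal currently occupies. Pointed at a stock /etc/systemd/journald.conf, where every key ships commented out, the audit reports all four keys as unset and returns non-zero.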
Some resources:
$ curl cht.sh/journalctl ← Run this in your terminal for a summary about the journalctl utility

